PT-2025-26596 · Aviatrix · Aviatrix Controller

Louis Dion-Marcil · Published 2025-06-23 · Updated 2025-07-31 · CVE-2025-2171

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
  Aviatrix Controller versions prior to 7.1.4208
  Aviatrix Controller versions prior to 7.2.5090
  Aviatrix Controller versions prior to 8.0.0

Description: Aviatrix Controller does not rate-limit password reset attempts, so adversaries can brute-force the 6-digit password reset PIN. This has been exploited in real-world incidents: Mandiant's Red Team breached Aviatrix Controller via authentication bypass and remote code execution flaws, gaining root access and AWS keys.

Recommendations:
  For Aviatrix Controller versions prior to 7.1.4208, update to version 7.1.4208 or later to enforce rate limiting on password reset attempts.
  For Aviatrix Controller versions prior to 7.2.5090, update to version 7.2.5090 or later to enforce rate limiting on password reset attempts.
  For Aviatrix Controller versions prior to 8.0.0, update to version 8.0.0 or later to enforce rate limiting on password reset attempts.
  As a temporary workaround, consider additional measures that limit the risk of brute-force attacks on password reset PINs, such as monitoring for suspicious activity or deploying a web application firewall.
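The control the fix enforces, as an added illustration that is not Aviatrix code: a reset-PIN verifier that bounds guesses per issued PIN, expires PINs, and locks the reset flow after repeated failures. The policy values and the in-memory service are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values (not from the advisory). A 6-digit PIN has only
# 10**6 values, so an unbounded verifier is enumerable; these cap the guesses.
MAX_ATTEMPTS = 5        # wrong guesses allowed per issued PIN
PIN_TTL_SECONDS = 600   # a PIN is only valid for ten minutes
LOCKOUT_SECONDS = 900   # no new PIN for the account while locked

@dataclass
class ResetState:
    pin: str
    issued_at: float
    attempts: int = 0

class PasswordResetService:
    """Issues and verifies reset PINs with per-account attempt limiting."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock for testing
        self.pending = {}         # username -> ResetState
        self.locked_until = {}    # username -> unix time lock expires

    def issue_pin(self, username):
        """Return a fresh 6-digit PIN, or None while the account is locked."""
        if self.locked_until.get(username, 0) > self.now():
            return None
        pin = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000..999999
        self.pending[username] = ResetState(pin=pin, issued_at=self.now())
        return pin

    def verify_pin(self, username, guess):
        """Return 'ok', 'invalid', 'expired' or 'locked'."""
        state = self.pending.get(username)
        if state is None:
            return "locked" if self.locked_until.get(username, 0) > self.now() else "invalid"
        if self.now() - state.issued_at > PIN_TTL_SECONDS:
            del self.pending[username]
            return "expired"
        state.attempts += 1
        if hmac.compare_digest(state.pin.encode(), guess.encode()):  # constant time
            del self.pending[username]        # a PIN is single use
            return "ok"
        if state.attempts >= MAX_ATTEMPTS:
            # Burn the PIN and lock the flow: each lockout window yields at
            # most MAX_ATTEMPTS guesses against a fresh random PIN.
            del self.pending[username]
            self.locked_until[username] = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

Each lockout or failed verification is also a natural point to emit a log event, which is what the workaround above (monitoring for suspicious activity) relies on.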

Fix

RCE

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: CVE-2025-2171

Affected Products: Aviatrix Controller